CRLF Injection in HackerOne Program - $300 Bounty
As a bug bounty hunter, I’m always on the lookout for security vulnerabilities that I can report to companies and earn rewards. Recently, I discovered a CRLF injection vulnerability on a popular website through the HackerOne platform, and in this blog post, I’m going to share how I found it and the impact it had.
What is CRLF Injection?
CRLF stands for “Carriage Return Line Feed,” the pair of control characters (\r\n) that marks the end of a line in many protocols, including HTTP, where it separates one response header from the next. If an attacker can get raw CRLF characters into an HTTP header value, the server emits a line break inside its own headers, which can lead to various attacks, such as:
- HTTP Response Splitting
- Cross-Site Scripting (XSS)
- Cookie Manipulation
My Approach to Bug Hunting
While hunting, I always start with subdomain discovery. My process includes:
- Finding active domains
- Port scanning
- Enumerating subdomains of subdomains
Finally, I filter active URLs, and by the end of the process, I usually have 1000+ URLs ready for further testing.
Finding CRLF Injection
To detect CRLF injection, I send an HTTP GET request with the following payload:
http://example.com/%0D%0ATest-Header:karthithehacker
However, manually testing all 1000+ URLs and checking the response headers is impractical.
Automating the Process
To solve this, I created a Python script that automates the entire process. The best part is that if it detects a vulnerability, it immediately sends me a Telegram notification with the payload data.
You can install it on your machine by running the following command:
pip install crlfi
crlfi -h
It is supported on Windows, Mac, and Linux. To learn more about how to use it, visit my GitHub repository:
https://github.com/Cappricio-Securities/crlfi
Technical Analysis
After a few minutes of scanning, I identified a vulnerable endpoint. I noticed that the Location header value was not properly sanitized, allowing me to inject CRLF characters using a simple payload like:
http://example.com/%0D%0ATest-Header:karthithehacker
This vulnerability allowed me to manipulate the server’s response and inject arbitrary content, such as fake headers or even JavaScript code.
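To show the defect and its fix side by side, here is an added example of my own (not code from the crlfi tool or from the affected site): a minimal redirect builder in its vulnerable and hardened forms, plus the header-parsing check a scanner uses to confirm that the marker header was reflected. The host example.com and the Test-Header marker are the ones from the payload above; the server-side builder itself is an assumed, simplified stand-in for whatever the real site ran.

```python
import re
from urllib.parse import quote, unquote

# The probe path from the write-up, as the server sees it after URL-decoding.
PROBE_PATH = unquote("/%0D%0ATest-Header:karthithehacker")  # "/\r\nTest-Header:karthithehacker"

CRLF = re.compile(r"[\r\n]")


def redirect_vulnerable(path: str) -> bytes:
    """'Before' behaviour (assumed): the decoded path is copied verbatim into
    Location, so the CR LF inside it terminates the header and starts a new one."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: http://example.com{path}\r\n"
        "\r\n"
    ).encode("latin-1")


def redirect_hardened(path: str) -> bytes:
    """Fixed behaviour: re-encode the path so CR/LF can never reach the header
    as raw bytes, then refuse to emit the header if any still remain."""
    safe_path = quote(path, safe="/")           # "\r\n" -> "%0D%0A", ":" -> "%3A"
    location = f"http://example.com{safe_path}"
    if CRLF.search(location):                   # defence in depth; should be unreachable
        raise ValueError("CR/LF not allowed in header values")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "\r\n"
    ).encode("latin-1")


def parse_headers(raw: bytes) -> dict:
    """Split a raw response the way a client would: status line, then one header per CRLF."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def reflects_marker(raw: bytes, name: str = "test-header", value: str = "karthithehacker") -> bool:
    """The check a scanner performs: did the marker come back as a real, separate header?"""
    return parse_headers(raw).get(name) == value
```

Running both builders on PROBE_PATH shows the point: the vulnerable response parses into two headers (Location plus the injected Test-Header), while the hardened one keeps the whole probe inside the Location value as harmless percent-encoded text.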
Impact of the Vulnerability
To demonstrate the impact, I created a proof of concept that injected a fake Set-Cookie header into the response. This could be exploited for:
- Session Hijacking: Stealing session cookies.
- Header Manipulation: Injecting fake HTTP headers.
- Security Bypass: Deactivating security features.
I reported the vulnerability to the company through HackerOne, and they confirmed it, awarding me a $300 bounty ($250 + $50 bonus).
Tip: Try downgrading HTTPS to HTTP and injecting CRLF payloads.
PoC Video
Conclusion
CRLF injection is a powerful technique that attackers can use to manipulate HTTP headers and perform various attacks. By understanding how it works and how to prevent it, we can help make the web a safer place for everyone.